On the topic of Amplification

Alexander Lyamin

<la@qrator.net>

Usual suspects

User Datagram Protocol

• DNS

• NTP

• SSDP

• SNMP

• Chargen

Weighted

• X – absolute number of amplifiers that fall in

• Y - axis amplification multiplier

DNS

0

20000

40000

60000

80000

100000

120000

140000

160000

13 14 15 16 18 19 20 21 23 24 25 26 28 29 30 31 33 34 35 36 38 39 40 41 43 44 45 46 47 49 50 51 52 54 55 56 57 59 60

NTP

0

2000

4000

6000

8000

10000

12000

14000

35 90 145 200 255 310 365 420 475 530 585 640 695 750 805 860 915 970 1025 1080 1135 1190 1245 1300 1355

Chargen

0

50

100

150

200

250

300

350

400

12 23 34 45 56 67 78 89 100 111 122 133 144 155 166 177 188 200 211 222 233 244 255

SNMP

0

50000

100000

150000

200000

250000

300000

30 32 34 37 39 41 43 46 48 50 53 55 57 59 62 64 66 69 71 73 75 78 80

SSDP

0

50000

100000

150000

200000

250000

300000

350000

400000

60

63

66

69

72

75

78

81

84

87

90

93

96

99

10

2

10

5

10

8

11

1

11

4

11

7

12

0

12

3

12

6

12

8

13

1

13

4

13

7

14

0

14

3

14

6

14

9

15

2

15

5

15

8

16

1

16

4

16

7

17

0

17

3

17

6

17

9

and measured

• X integral multiplier in IPv4 on

• Y timeline since 1 June to 5th October 2014

Integral Multiplier

0

200000000

400000000

600000000

800000000

1E+09

1.2E+09

1.4E+09

1.6E+09

1.8E+09

Chargen

NTP

DNS

SNMP

SSDP

Total

Bottom line

Road notes:

1. 1.6B packets per one packet of a 1st stage –WOW!

2. SSDP is the king of a day.

Hypothesis:

We’re all not dead (yet) because SSDP amplifiers situated at periphery of the network.

Its not about how much packets you can generate with 2nd stage – its about how many will reach the target.

mailto:melanor9@gmail.comSubject: %ASN amp.report

Questions?